Zope AccessControl Security Fix: Anonymous Users Can Delete User Data
CVE-2024-51734

8.7HIGH

Key Information:

Vendor
CVE Published:
4 November 2024

What is CVE-2024-51734?

A security flaw in Zope AccessControl allows anonymous users to delete critical user data managed by the UserFolder. This can disrupt privileged access and compromise user security. The issue has been resolved in version 7.2. To mitigate the risk, users unable to upgrade should modify their UserFolder by adding 'data__roles__ = ()'. It is essential for users to take action promptly to protect their data.

Affected Version(s)

AccessControl Zope AccessControl: < 7.2 < Zope AccessControl: 7.2

AccessControl Zope bundle: < 5.11.1 < Zope bundle: 5.11.1

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.